GitLab GLAZ Gem

[!WARNING] This gem is currently designed entirely for internal use at GitLab.

Ruby bindings for the Glaz authorization engine. A thin Magnus FFI extension exposes the Rust glaz-module engine to Ruby, so Cedar policy checks run in-process.

Installation

Requires Ruby >= 3.1 and a Rust toolchain. Add to your Gemfile:

gem 'gitlab-glaz', path: 'gems/gitlab-glaz'

Usage

require 'gitlab-glaz'

engine = Gitlab::Glaz::Engine.new(schema: cedar_schema, policies: cedar_policies)

engine.check_action(
  subject_uuid: user_uuid,
  object_uuid: project_uuid,
  action: 'read_docs',
  context: {}
)
# => { allowed: true, reason: 'permit_granted' }

# Swap the policy set at runtime; the previous set stays active if the
# new source fails to parse or validate against the schema:
engine.load_policies(new_cedar_policies)

The schema is loaded once at construction and cannot change; build a new engine to use a new schema.

Schemas must declare User and Resource entities (checks build User::"<subject_uuid>" and Resource::"<object_uuid>" UIDs), and every action's context type must include user_permissions: Set<Action>, which the engine injects with the checked action.

Development

bundle exec rake compile  # build the native extension (required before rspec)
bundle exec rspec

The extension crate lives in ext/glaz/; shared Rust dependencies are declared in the root Cargo.toml.

Releasing a new version

Create a merge request using the Release template and follow its instructions. Once merged, precompiled native gems are published to RubyGems automatically.

License

Released under the MIT License.